Mark Nestmann: Hackers Can Unfreeze Your Frozen Credit Records

Guest Post by Mark Nestmann from his blog on Nestmann.com:

Back in May 2017, credit bureau giant Equifax had virtually its entire database of consumer credit reports stolen by hackers – more than 148 million in all. The attack occurred because Equifax failed to patch a software vulnerability it had known about months before the breach occurred.

I was one of the victims. If you’re an adult living in the United States, your files were likely compromised as well.

But unlike many of the victims, I wasn’t especially concerned about the breach. A big reason was that in response to previous attempts to steal my identity, I had placed a security freeze on my credit files.

A security freeze limits access to your credit report to companies that already have you as a customer. If you have a security freeze in effect and a hacker succeeds in impersonating you, they’ll find it almost impossible to benefit financially from having your information.

Credit bureaus hate security freezes, because they can no longer sell your data to the highest bidder. Instead, they’ll try to persuade you to sign up for a “credit lock” and credit monitoring services. Essentially, you pay a monthly or annual fee (which is often waived) for the privilege of having the company that should be keeping your data safe notify you when it fails to do so.

Don’t be fooled. A credit lock is only an agreement between you and the credit bureau. You’re bound by the restrictions in the fine print of the agreement, rather than by your state’s security freeze law. All 50 states have such laws in effect.

However, once you set up a security freeze, you might discover that hackers have unfrozen it without the credit bureau informing you. That’s the case with Experian, which doesn’t confirm you’ve lifted a security freeze unless you subscribe to the company’s credit lock service. This service costs $25 per month. One victim named John only found out the security freeze on his account had been lifted after receiving an email from Experian informing him the email address on his account had been changed.

Apparently, a hacker used Experian’s automated “forgot email/username” feature and was able to convince the credit bureau that they were John after correctly answering a handful of questions drawn from public records. The hacker then changed John’s email address, password, and PIN, locking him out of his own account. They also removed the security freeze.

John couldn’t reset his Experian password because the reset links he requested were sent to the hacker’s email address. He regained access to his credit account and reimposed the freeze only after a lengthy authentication process over the telephone.

This vulnerability is apparently unique to Experian. Both Equifax and TransUnion, the other two big consumer credit reporting bureaus, send emails to the address on file asking to validate account changes.

It’s simply inexcusable that in 2022, Experian doesn’t offer multi-factor authentication for resetting a security freeze. The company compounds the problem by “verifying” your identity using data from public records that can often be easily guessed by identity thieves.
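The two controls this post faults Experian for lacking, and credits Equifax and TransUnion with having, are concrete enough to model. The following is an added example written for this article, not code from Experian or any credit bureau: a minimal account-management service in which a contact-email change must be confirmed from the address already on file (so the legitimate owner is told before the change takes effect), and in which a security freeze can only be lifted with a registered second factor rather than with knowledge-based answers alone. The `Account`, `Outbox` and `FreezeService` names, the in-memory outbox standing in for an email sender, and the use of RFC 4226 HOTP as the second factor are all assumptions made for illustration.

```python
"""Defender-side model of account-change notification and step-up auth for
lifting a credit freeze. Added example; not any bureau's real code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (dynamic truncation, SHA-1)."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    username: str
    email: str
    second_factor_secret: bytes          # registered authenticator secret (assumed)
    frozen: bool = True
    hotp_counter: int = 0
    pending_email: Optional[str] = None
    pending_token: Optional[str] = None


class Outbox:
    """Constructed stand-in for an email gateway: records (to, body) pairs."""
    def __init__(self) -> None:
        self.messages: List[Tuple[str, str]] = []

    def send(self, to: str, body: str) -> None:
        self.messages.append((to, body))


class FreezeService:
    def __init__(self, outbox: Outbox) -> None:
        self.outbox = outbox

    def request_email_change(self, acct: Account, new_email: str) -> str:
        """Stage a contact-email change; the confirmation goes to the CURRENT
        address, so passing a public-records quiz is not enough to redirect mail."""
        token = secrets.token_urlsafe(16)
        acct.pending_email = new_email
        acct.pending_token = token
        self.outbox.send(acct.email, f"confirm-email-change:{token}")
        return token

    def confirm_email_change(self, acct: Account, token: str) -> bool:
        """Apply the staged change only with the token sent to the old address,
        then notify the old address that the change has happened."""
        if acct.pending_token is None or not hmac.compare_digest(acct.pending_token, token):
            return False
        old_email = acct.email
        acct.email = acct.pending_email or acct.email
        acct.pending_email = acct.pending_token = None
        self.outbox.send(old_email, f"email-changed-to:{acct.email}")
        return True

    def lift_freeze(self, acct: Account, second_factor_code: str) -> bool:
        """Lift the freeze only when the registered second factor is presented.
        Knowledge-based answers never reach this path on their own."""
        expected = hotp(acct.second_factor_secret, acct.hotp_counter)
        if not hmac.compare_digest(expected, second_factor_code):
            self.outbox.send(acct.email, "freeze-lift-denied")
            return False
        acct.hotp_counter += 1                # burn the counter on success
        acct.frozen = False
        self.outbox.send(acct.email, "freeze-lifted")
        return True


if __name__ == "__main__":
    # Constructed walk-through: the owner changes their address and lifts the freeze.
    box = Outbox()
    svc = FreezeService(box)
    owner = Account("john", "john@example.invalid", b"12345678901234567890")
    tok = svc.request_email_change(owner, "john.new@example.invalid")
    print("confirmation sent to:", box.messages[-1][0])
    print("change applied:", svc.confirm_email_change(owner, tok))
    print("freeze lifted with KBA only:", svc.lift_freeze(owner, "000000"))
    print("freeze lifted with 2FA:", svc.lift_freeze(owner, hotp(owner.second_factor_secret, 0)))
```

The design point is where the notifications go: every message about a contact change is addressed to the email the account had before the request, which is exactly the tripwire John lacked, and a failed freeze-lift attempt also produces a notice rather than failing silently.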

However, this should hardly be a surprise. You don’t own the data in your credit records – the credit bureaus do. Indeed, these companies make billions of dollars in profits annually selling your data.

In the meantime, a class action lawsuit has been filed against Experian in California. The lawsuit alleges that Experian’s shoddy security practices violate the Fair Credit Reporting Act. This law, enacted in 1970, regulates data collected by consumer reporting agencies such as credit bureaus, medical information companies and tenant screening services.

We wish the plaintiffs the best in their fight to force Experian to change its attitude of depraved indifference to data security. But we’re not anticipating any significant legal breakthrough. As is usual in lawsuits of this kind, the only people who are likely to receive any money are the attorneys who filed it – assuming the lawsuit isn’t dismissed entirely.

In the meantime, we suggest you adopt the attitude we have regarding computer security in general. Instead of assuming our data is safe in the hands of third parties, we take it for granted that it’s not.

We understand that hackers have access to data that we once believed was private and that it might as well be pasted on the front page of The New York Times. And we grudgingly accept the fact that every database that stores this information has likely been compromised.

This status won’t change until lawmakers recognize that everyone has an ownership right to their own data, including data held by third parties. Ownership over your own data would give you the right, but not the obligation, to share it with others.

Your data has value. If you owned it, you’d receive a tiny royalty every time someone accessed it. You could also restrict your data flow if you chose. The blockchain technology that underpins cryptocurrencies could pave the way for secure markets for personal data, making credit bureaus obsolete and putting you in control of your data.

But until then, your only recourse is to take steps to protect yourself. And a security freeze – one that in Experian’s case you have to periodically reconfirm is still in effect – should be at the top of your list.
